The BeyondTrust integration replaces password-based authentication for Privileged Remote Access and Remote Support with verified biometric login.
Integration type
Helpdesk
Overview
1Kosmos integrates with BeyondTrust Privileged Remote Access (PRA) and BeyondTrust Remote Support as a SAML 2.0 identity provider, enabling representatives and administrators to authenticate using biometric passwordless login via the 1Kosmos mobile app. Once configured, users who access the BeyondTrust login page are redirected to 1Kosmos for biometric verification before being returned to their privileged session.
What we solve
BeyondTrust PRA/Remote Support environments need stronger assurance that privileged representatives and admins are the right individuals before granting access to high-risk remote sessions. This integration configures 1Kosmos as the SAML 2.0 identity provider so privileged logins are protected with biometric, passwordless authentication, reducing credential theft and session hijacking risk.
The SAML configuration is performed in the BeyondTrust admin console under Users and Security → Security Providers. BeyondTrust supports uploading IdP metadata directly, which simplifies the setup by auto-populating the SSO URL and certificate fields from the 1Kosmos metadata file. BeyondTrust also allows downloading its own SP metadata for import into AdminX.
The integration uses HTTP POST binding. Both IdP-initiated and SP-initiated SSO flows are supported depending on BeyondTrust configuration.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
BeyondTrust administrator access: Admin rights to the BeyondTrust admin console, including access to Users and Security → Security Providers.
BeyondTrust version compatibility: SAML SSO is available on BeyondTrust PRA and Remote Support. Confirm in the BeyondTrust documentation at docs.beyondtrust.com that your deployment version supports SAML.
Group policy configured in BeyondTrust: At least one BeyondTrust group policy must exist before adding the SAML security provider, as all authenticating users must be assigned to a policy.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for BeyondTrust:
| Field | Where to find it |
|---|---|
| SAML Metadata URL or XML file | AdminX → Settings → IdP Configuration → Metadata URL (or download XML) |
| SSO URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Values to collect from BeyondTrust (SP) for AdminX:
| Field | Where to find it |
|---|---|
| ACS URL (Assertion Consumer Service URL) | BeyondTrust admin console → Users and Security → Security Providers → SAML2 → Service Provider Settings section |
| SP Entity ID | Same Service Provider Settings section; this is your BeyondTrust site URL |
| SP Metadata (optional) | Click Download Service Provider Metadata in the Security Providers screen to export for import into AdminX |
Integration steps
Step 1: Add the SAML security provider in BeyondTrust
Log in to the BeyondTrust admin console at your site URL (e.g., https://your-site.beyondtrustcloud.com/login).
Navigate to Users and Security → Security Providers.
Click Add and select SAML2 from the dropdown.
In the Identity Provider Configuration section, click Upload Identity Provider Metadata and upload the 1Kosmos metadata XML file, or manually enter the 1Kosmos SSO URL and paste the signing certificate.
In the Service Provider Settings section, note the ACS URL and Entity ID values displayed. You will need these for AdminX.
Under User Attribute Settings, confirm the Username attribute is set to the field that matches the NameID value sent by 1Kosmos (typically email).
Under Authorization Settings, assign a Default Group Policy. This is required for all SAML-authenticated users who are not specifically mapped to another group.
Save the configuration.
Step 2: Add BeyondTrust as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "BeyondTrust PRA" or "BeyondTrust Remote Support" as the Application Name, set Instance to Production, and enter the BeyondTrust login URL as the Application Access URL. Click Next.
Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email.
Add claims mappings for email (Username) and any group attributes required by your BeyondTrust group policy configuration. Click Next.
Enter the BeyondTrust SP Entity ID and ACS URL. Set Method to POST, enable Assertion signing, and click Save.
Step 3: Test the integration
Log out of BeyondTrust completely.
Navigate to the BeyondTrust login page and click Use SAML Authentication.
You will be redirected to the 1Kosmos login screen. Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.
Confirm you are returned to BeyondTrust as an authenticated representative or administrator with the correct group policy applied.
Test with a single account before enabling SAML as the required authentication method for all users.
Attribute mappings
| Source (1Kosmos) | Target (BeyondTrust) | Description |
|---|---|---|
| user.email | Username (NameID) | Primary identifier for user lookup in BeyondTrust |
| user.email | E-mail attribute | Email address for the authenticated user |
| group membership (optional) | Groups attribute | Group name for policy assignment; configure in AdminX claims mapping if used |
Integration notes
BeyondTrust uses the SSO URL protocol binding setting (HTTP Redirect or HTTP POST) to determine how it communicates with the identity provider.
If 1Kosmos requires POST binding, confirm this is set correctly in the Security Provider configuration. If request signing is enabled in BeyondTrust, the SSO binding is automatically restricted to HTTP Redirect.
For organizations using BeyondTrust for both Privileged Remote Access and Remote Support, each product requires a separate SAML security provider configuration, though both can point to the same 1Kosmos IdP.

